Critical update won't install after imaging

AVmcclint
Honored Contributor

After imaging a 2016 MBP with a 10.12.1 image (built from the same model), the computer boots up and I immediately get a white square with a spinning gear for several minutes. Then I get the error above. There's no indication of what it's doing and I can't access the log to see what's wrong. The Mac is completely unusable because I have to shut it down or click Try Again, which never works. What the heck is going on? Anyone know what this is?

1 ACCEPTED SOLUTION

nateboggs
New Contributor II

Apple finally posted a TechNote on this behavior HT207567

If you’re using a network with a firewall, make sure that you can access the following hosts on the corresponding ports:

Server TCP Port
gg.apple.com 80 and 443
gnf-mdn.apple.com 443
gnf-mr.apple.com 443
gs.apple.com 80 and 443
ig.apple.com 443
skl.apple.com 443
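
The firewall check from the accepted solution, as an added example that is not part of the original post: a POSIX shell script that expands the host/port table above and tests each pair with `nc -z`. The `PROBE` override and the `--check` argument are conventions of this example, not of any Apple or Jamf tool.

```shell
#!/bin/sh
# Host/port table copied from the accepted solution above.
HOSTS='gg.apple.com 80 and 443
gnf-mdn.apple.com 443
gnf-mr.apple.com 443
gs.apple.com 80 and 443
ig.apple.com 443
skl.apple.com 443'

# expand_targets: turn "host 80 and 443" lines into one "host port" pair per line.
expand_targets() {
    while read -r host ports; do
        [ -n "$host" ] || continue
        for p in $ports; do
            case "$p" in
                and) ;;   # separator word used in the table
                *[!0-9]*) echo "bad port '$p' for $host" >&2; return 1 ;;
                *) echo "$host $p" ;;
            esac
        done
    done <<EOF
$1
EOF
}

# probe_nc: plain TCP connect with a 5 s timeout; -z sends no data.
probe_nc() { nc -z -w 5 "$1" "$2" </dev/null >/dev/null 2>&1; }

# check_targets: print OK/BLOCKED per pair; return 1 if any pair is blocked.
check_targets() {
    probe=${PROBE:-probe_nc}; blocked=0   # PROBE lets another probe be swapped in (assumption of this example)
    pairs=$(expand_targets "$1") || return 2
    while read -r host port; do
        [ -n "$host" ] || continue
        if "$probe" "$host" "$port"; then
            echo "OK      $host:$port"
        else
            echo "BLOCKED $host:$port"; blocked=1
        fi
    done <<EOF
$pairs
EOF
    return "$blocked"
}

# Probe the network only when asked:  sh check_ports.sh --check
if [ "${1:-}" = "--check" ]; then check_targets "$HOSTS"; fi
```

Run it from the same network segment the imaged Macs use. A successful connect only shows that the port is reachable; it does not show that a proxy in the path passes the traffic unmodified.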


56 REPLIES

Bhughes
Contributor

I have an open case with Apple on this. This is sloppy Q/A on their part. We're going to halt all new orders of the touch bar laptops if they do not resolve this issue, as they're clearly not compatible with Enterprise networks.

TimT
Contributor

@Bhughes agree 100%.

Went through initial pain getting these touchbar MBPs to work within our infrastructure. Learnt not to nuke the LV and all appeared to be ok. We could partition the LV into our "default" boot and user volumes without wiping the embeddedOS. Imaging worked fine, albeit with cheap dumb Ethernet to USB-C dongles which could see our NetBoot set. Decided to update NBI to 10.12.4 and also Base OS to same and now see that when booting into the NBI there is the progress bar downloading and installing the touchbar OS. Eventually gets there, then post imaging goes through the same process and again after the final reboot and gets stuck as we are behind corporate proxy. We have external DMZ networks to get around this but that is a painful process. Will go back to the 10.12.3 NBI and base OS and see if that works. Has the location of the embedded OS changed with 10.12.4? We resolved our issues as we believed the embeddedOS in the EFI was wiped when destroying the LV. DEP doesn't suit our environment (that may have to change in the future); we like mass imaging: when it works, it's simple and quick, as we need fast turnaround times. We don't have the 6+ hours required to reinstall via Recovery mode.

TimT
Contributor

Definitely now a 10.12.4 issue. Reverted NBI and Base OS back to 10.12.3 and the issue goes away. Called Apple and logged it.

Ironic, can't use the 10.12.4 for the OS in either NBI or the Base and can't update our Touch Bar machines to 10.12.4 from our internal SUS as they kernel panic upon reboot. Go Apple!

gabester
Contributor III

@TimC Are you sure you're not just holding it wrong? ;-)

But seriously, my organization builds on a non-internet connected network; our current workaround is to tether to a smartphone for each device as it's rebuilt. To add insult to injury, external Apple resources are generally blocked on our network and when we run OS Updates some - but not all - of the touchbar Macs experience this. What's more, a launchDaemon on the affected Macs then seems to prevent the touchbar from re-establishing its connection to the Mac after downloading the update it thinks it needs to fix EmbeddedOS so we get stuck in a loop of Try Again or Shut Down until we go into Single User mode and disable the implicated LaunchDaemon.

Today I think I found an opportunity to convince Apple to address this correctly - at the screen where you'd choose your WiFi network you can choose <--> "Other Network Options" and the radio button for "My computer does not connect to the Internet." This also drops into the same loop of Shut Down / Try Again but with no way to back out beyond shut down.

Apple clearly needs to address this scenario; they cannot render your device inoperable if it is unable to connect it to the internet. It's one thing to leverage something like Find My iPhone or Back to my Mac to brick a stolen device, but the presumption that these Macs with EmbeddedOS hardware connected to them must be internet-connected by legitimate owners is unacceptable. There are many applications where for data security purposes organizations or individuals may want to keep their Macs air-gapped and isolated from the Internet!

thoule
Valued Contributor II

"they cannot render your device inoperable if it is unable to connect it to the internet"

That was exactly my issue with the current setup. And apparently they feel they can and people will continue to purchase their products (not me!). During this connection process, they are validating the OS to confirm it's safe and is secure which is good motivation, but still has a significant cost. Besides the air gap issue you mentioned, what happens when Apple feels your hardware is 'obsolete' and removes support for it?

cywa
New Contributor

Hi guys, please help..

I bought a 2017 13in MBP with Touchbar while on holiday in the USA 2 weeks ago. I brought it back to my home country (Indonesia) and promptly migrated everything from my 2011 Macbook Air...

A few days ago, I ran into this Critical Update Loop problem. I have disabled the firewall of my wifi router, and SOMETIMES it allows me to complete the update & log in normally (other times, it will keep looping and I have to hit RETRY several times until it completes or I give up and try some other time)

Even if it manages to complete, the next time I power off and on again, it will take like 2-3 minutes to boot & that is a sure sign the Critical Update loop is back.

I seriously doubt the local Apple engineers will have a clue. Even if they do, they may be unwilling to help coz I did not purchase my MBP from them... and thus returning my MBP for a replacement is also not an option :(

My OS is already 10.12.5 btw..

How can I resolve this issue once and for all?

@bvrooman: can you please give detailed instructions how to create the package (/usr/standalone/firmware/iBridge1_1Customer.bundle) and add it as a before-reboot package in layman's terms?

Thanx so much for any help...

rqomsiya
Contributor III

Wasn't this issue resolved with the 10.12.6 update?

gabester
Contributor III

@rqomsiya On 10.12.6 and I don't think we've seen it much, but I'm very concerned by Apple's assertion in this technote HT208020 that we will be seeing more of this in the future:

"You must be connected to the Internet when you upgrade your macOS. After your Mac confirms your connection, the Installer uses the model number of your Mac to locate and download a firmware update specific to only that Mac. Only the macOS Installer can download and install the firmware update. Firmware updates can't be done on external devices, like those connected via Target Disk Mode, Thunderbolt, USB, or Firewire."

cwaldrip
Valued Contributor

I'm stuck in the loop and while our firewall is open to all outgoing traffic (and incoming traffic initiated by an outgoing request) I can't get the critical software to install. I've tried our in-house ethernet network and our public facing wifi. Nada.

I was able to use Erik Gomez's blog post to mount the EFI volume from a working machine, copy the contents to a flash drive, boot my problem machine from an external boot drive, and mount its EFI partition. The problem EFI volume was missing several pieces, so I copied the backup from my flash drive over. Crossed my fingers and restarted. It worked. Yay.

...insert list of expletives directed at apple here...

bearzooka
Contributor

Hey everyone.

I know this isn't a new topic, but we just started piloting TouchBar MacBooks and ran into this issue.

It draws my attention that nobody has said if High Sierra has this "cool feature" of mandatory online activation. Does anybody know if MBs with TouchBar also have this problem, or has a better solution come up?

Thanks.

bajuloreng
New Contributor

Hi Everyone,
The integrated SSD in my MacBook Pro 13" w/touchbar was broken and can't be used anymore, so I installed Sierra from internet recovery onto an external SSD and got stuck with this kind of problem (A critical software update is required for your mac, but an error was encountered while installing this update). I've checked that all the sites & ports were open.
gg.apple.com 80 and 443
gnf-mdn.apple.com 443
gnf-mr.apple.com 443
gs.apple.com 80 and 443
ig.apple.com 443
skl.apple.com 443
Is there a solution for this? Please help as I can't use the MacBook anymore unless I have to get it to work by reinstalling.

Sanchi
Contributor

The only process that's worked for me is Erik Gomez's here.

I've tried all kinds of permutations and variations and his is the only one that's worked on our Sierra Touchbar Macs.

Hope that our build engineers won't erase the entire disk instead of just the main volume is strong, but it will eventually happen and when it does, that Mac becomes about as useful as an ashtray on a motorcycle.

Thinking of trying to automate Erik's process into our build queue where a script deploys the OS image while also copying the relevant data Erik has identified.

I don't like it. Why oh why can't the Touchbar OS be on a protected partition or just part of MacOS? :(

rqomsiya
Contributor III

Strange. I do a complete wipe of the SSD and reinstall 10.12.6 via USB key without issue.

hcgtexas
New Contributor III

So I have a question related to this issue.

Got a touchbar pro, wiped and installed 12.6. Worked fine for a few months, then upgraded to 13.3. Then I got the upgrade notification.

I connected to the internet, downloaded the update, and got it. Now every time I try to restart the computer it goes through the same process. I've checked /usr/standalone/firmware/iBridge1_1Customer.bundle and it is there (along with a few other files).

What is actually doing the update check? And how do I get it to stop freaking out?

caboundeh
New Contributor II

I know that I am a little late to this party.
I just ran into this issue while trying to rebuild a MacBook Pro.
If you use the terminal command to erase the hard drive (diskutil eraseDisk apfs "Macintosh HD" disk0) it will create the EFI volume and the install will go as intended.

I am not too sure why it won't create it from Disk Utility.

It should also be mentioned that the above command is run from boot media other than the hard drive in question.
Also, the above command will erase ALL the data on the drive.

fez2k8
New Contributor

So I managed to delete the EFI partition; I take it I’ve deleted the critical software to run/update the Touchbar. How do I obtain a copy of the EFI with the relevant files in it if I didn’t have a backup in the first place? @bvrooman would any EmbeddedOS work or does it have to be specific to the MacBook? I’m trying to slipstream it into a custom OSX install...

user-OEhQUAVpuG
New Contributor

Can anyone tell me how we should fresh install macOS after erasing the whole SSD (not the container or volume)? The Big Sur update seems to change the file system completely differently. Does the internet recovery need user partitioning? As I have seen in the log, my MacBook Pro can't even find the preflight container.